Wednesday, October 19, 2011

If you have an email address in the United States, either you or your spam filter is certainly familiar with this spam by now:

The spam with the subjects "ACH Payment (random numbers) Canceled" intends to imitate the National Automated Clearing House Association. NACHA is the organization that banks use to handle the electronic transfer of funds between domestic banks for things such as "Direct Deposit" or electronic bill paying.

The spam's message "The ACH transaction recently initiated from your checking acount was canceled by the other financial institution" is intended to elicit a panic response to get the recipient to click on the link in the email.

The problem has been getting worse because of two "upgrades" by the spammers.

First - they are using "drive-by" infectors, in the form of the BlackHole Exploit Kit. In the past a spam message such as this would have relied on trying to get you to download an '.exe' file and trick you into running it on your computer. Now, simply visiting the website will often be enough to infect your machine.

The second improvement, which comes and goes in waves, is that the criminals have compromised many "intermediary" web hosts to use in their spam. If the spammer were sending you to "mybadsite.com" your security software would quickly learn that "mybadsite.com" is a potentially harmful destination and block you from visiting.

To make sure their spam is delivered, the spammers have stolen the credentials from many website owners and have used these credentials to add one tiny file to their existing legitimate website. So, as a randomly chosen example, the spam link that claims to point to "nacha.org" may actually point to a page at "iscsconferencerecording.com". That page belongs to the International Society of Communication Specialists, so it probably has a "positive" reputation among security companies, who may be loathe to block the site.

What happens when we visit that page?

The only contents on the page "am2wdh.html" are calls to two Javascript files on other websites. In this case:

www.xmjhx.com /czc /js.jsand vscreative.com /images /js.js

The first time I loaded this, it caused a document location to be set to "www.nachaemployee.com"

A rerun of the same site pointed me instead to a blackhole exploit kit page at:

milloworks.com /main.php? page=890639ab2b6c1ab8

Which caused me to fetch:

milloworks.com /w.php ?f=70&e=4

This caused me to download the file:

www.vncoach.com /editors /nachareport20111910.pdf.exe

Another attempt sent me to:

tgqswpqqh.org.in from which we attempt to load the Blackhole Exploit page from

This drops a number of files on our computer, including Flash exploits, PDF exploits, and an EXE called "FIX_KB112755.exe" which gets downloaded from the IP address 213.123.52.133. FIX_KB111088.exe and FIX_KB113547.exe were also downloaded from there.

After the malware drops on the computer, we are forwarded through "dating-portal.net" where the affiliate engine sends us to an "Adult Friend Finder" sign-up website.

The point of this story, however, is not really what malware gets dropped, but the use of so many hacked intermediary servers to do the dropping.

In the first twelve hours of October 19, 2011, we saw 184 different websites used in this type of attack with an ACH spam subject line. In order of occurrence, with the first observed URL each, here is what we've seen today: